Remarks

New claim 13 

New claim 13 adds the limitation, 

the additional type of action is defined by a user of the policy 
enforcement system; and 

the policy enforcement system includes a user interface for 
extending the policy database by adding the user-defined additional type 
of action thereto. 

The user interface is described in detail beginning at page 93, line 20 and shown in FIGs. 
31-37. As pointed out at page 91, lines 12-15, "the general techniques described above 
for defining new kinds of attributes may be employed elsewhere in policy database 2901 
to define new actions, new ways of identifying users, and new types of resources." 

The rejections of claims 8-12 under 35 U.S.C. 101 

Applicants have amended independent claims 8 and 10 to specifically point out what is 
clear from FIG. 27 and the discussion of the figure beginning at page 81, line 21, namely 
that the claimed policy database "is implemented in a data storage device that is 
accessible to a processor", the processor appearing as policy server 2617 in FIG. 27 and 
the data storage device appearing as policy server database 2619 in the figure. The 
claims as amended further specifically point out the interaction between policy server 
database 2619 and policy server 2617. The claims as amended are thus addressed to a 
component of a system that is implemented using a processor and a storage device 
accessible thereto and are therefore addressed to patentable subject matter. As is 
apparent from FIG. 27, the amendments only make explicit what was implied in the 
claims as filed and consequently do not materially change the scope of the claims as filed. 
Because the amendment overcomes the rejection with regard to the independent claims, it 
also overcomes the rejection with regard to the dependent claims. 

Traversal of the rejection under 35 U.S.C. 112, first paragraph 

In his rejection of claims 8-12 under 35 U.S.C. 112, first paragraph, Examiner confuses 
the requirements of 35 U.S.C. 101 with those of 35 U.S.C. 112, first paragraph. The 
issue in 35 U.S.C. 112, first paragraph is solely whether 

The specification [contains] a written description of the invention, and of the 
manner and process of making and using it, in such full, clear, concise, and 
exact terms as to enable any person skilled in the art to which it pertains, or 
with which it is most nearly connected, to make and use the same, and shall 
set forth the best mode contemplated by the inventor of carrying out his 
invention. (35 U.S.C. 112, first paragraph) 

In this case, what is claimed in independent claims 8 and 10 in the application as filed is 
"a policy database wherein policies are defined in terms of sets of first entities, sets of 
second entities, and actions". Applicants' Specification explains how to make and use 
such a policy database in 98 pages of text and 37 Figures, of which 20 pages, beginning 
at page 79, and 11 figures, beginning with FIG. 26, are devoted to the particular new 
features which are the subject matter of claims 8 and 10. Applicants' attorney believes 
that no serious person "skilled in the art to which [Applicant's invention] pertains" 
would maintain that Applicants' specification does not fulfill the requirements of 35 
U.S.C. 112, first paragraph. Applicants' attorney is strengthened in this belief by the fact 
that the greater portion of the present Application's Specification is shared with 5 other 
patent applications, four of which have been issued and one of which is still in 
prosecution, and this is the first time in all of these prosecutions that any examiner has 
raised the issue of lack of support under 35 U.S.C. 112. 

The rejection under 35 U.S.C. 112, second paragraph 

35 U.S.C. 112, second paragraph, requires that Applicants' claims 

particularly point[] out and distinctly claim[] the subject matter which the applicant 
regards as his invention. 

Applicants' language with regard to his "sets of first entities" and "sets of second 
entities" is to be sure broad, but 35 U.S.C. 112, second paragraph, is not directed against 
broad claim language, but only against indefinite claim language. Applicants' claim 
language is not indefinite. It particularly points out that the sets of first entities, the sets 
of second entities, and the policies are related in that "a given policy defin[es] a given 
action which an entity belonging to a given set of the first entities may perform on an 
entity belonging to a given set of the second entities". Since the only relationships 
between the sets of entities and the actions which are of importance to the claim are those 
produced by the policies, there is no need for a more precise definition of what the 
entities are, particularly where, as set forth at page 85, lines 16-25 of Applicants' 
Specification, 

Continuing in more detail with generalized policy syntax 2801, Entity 
represents a user group whose members are defined by one of the 
techniques employed in access filter 203 or by a technique defined by an 
administrator of policy server 2617; The only requirement for the entity is 
that it be recognizable by policy enforcer 2609. Action represents an 
action which may simply be access as in access filter 203 or an action 
defined by an administrator of policy server 2617; the only requirement 
for the action is that policy enforcer 2609 be able to cause the action to be 
performed on a resource. Resource represents an information set. In the 
generalized policy server, however, an information set may be a set of 
devices such as a printers or file servers. The only requirement for a 
resource is that policy enforcer 2609 be able to cause the action to be 
performed on the resource. 

The objection to claims 5-7 as being in improper form 

Applicants have amended these claims so that they are properly multiply dependent from 
claims 1-4 and new claim 13. 

The rejection of claims 1-13 under 35 U.S.C. 102 

The rejection of claim 1 

A rejection of a claim under 35 U.S.C. 102 requires that every limitation of the claim be 
disclosed in the reference which forms the basis of the rejection, see MPEP 2131. Claim 
1 is an improvement claim; in such claims, the limitations of the claim's preamble are 
limitations of the claims as a whole. See Chisum on Patents 8.06[1][d] and the cases 
discussed there. In the case of claim 1, the limitations of the preamble include "a policy 
server including a policy database of the policies" and "a policy enforcer ... the policy 
enforcer permitting performance of the action only if a response from the policy server 
indicates that the policies permit the action." 

Examiner finds all of the limitations of Applicants' claim 1 in Jarvis. What Jarvis 
discloses is well summarized in the patent's Abstract: 

A policy-driven network traffic manager recommends to individual 
application programs that generate network traffic whether, and optionally 
under what conditions, they should generate network traffic. The network 
traffic manager has an interface, through which the application programs, 
prior to generating network traffic, call the network traffic manager and 
describe the traffic the application programs propose to generate. A policy 
repository stores a set of policies, which the network traffic manager uses 
to ascertain whether the application programs should generate the 
proposed network traffic. The policies can include considerations such as 
time, link cost, latency, congestion and availability. The network traffic 
manager then sends the recommendations to the application programs. 

At the highest level, the problem with Jarvis as a reference is that it does not disclose 

a policy enforcement system for enforcing policies defining what actions 
belonging to a first type thereof first entities defined in a computer system 
may perform on second entities defined in the computer system (claim 1, 
lines 1-3, emphasis added) 

Instead, it discloses "a policy-driven network traffic manager" that recommends 
(emphasis added) to individual application programs that generate network traffic 
whether, and optionally under what conditions, they should generate network traffic". 

As one would expect from the fact that Jarvis "recommends" whether individual 
application programs should generate network traffic, there is nothing in Jarvis that 
corresponds to the policy enforcer of Applicants' claim 1, which 

controls performance of the first type of action and is capable of 
communicating a request to perform an action of the first type to the 
policy server, the policy enforcer permitting performance of the action 
only if a response from the policy server indicates that the policies permit 
the action 

In his rejection, Examiner takes policy editor 209 (Fig. 2) to be Applicants' policy 
enforcer and refers Applicants to col. 5, line 1 - col. 6, line 12. The only disclosure 
concerning policy editor 209 in that portion of Jarvis, and indeed in all of Jarvis, is found 
at col. 5, lines 63-66: 

The ability to augment and change the policies through the policy editor 
209, together with the interpretation of the policies by the server 204, 
makes the policies easily extendible. 

FIG. 2 further shows policy editor 209 communicating only with policy repository 206, 
not with server 204 or clients 200, and col. 5, lines 53-66 confirms what would be 
expected by that arrangement, namely that policy editor 209 is used to augment and edit 
policies. That being the case, it cannot and does not control performance of anything, 
does not communicate requests to the policy server, and does not permit performance of 
an action only if a response from the policy server indicates that the policies permit the 
action. That policy editor 209 does none of these things may further be immediately seen 
from its complete absence in the flowchart of FIGs. 4A and 4B, which sets forth the 
process by which Jarvis' server 204 provides a suggestion 214 to a client 200. Policy 
editor 209 is therefore clearly not Applicants' policy enforcer, and since that is the case, 
Jarvis does not anticipate Applicants' claim 1. 

Patentability of the claims that are dependent from claim 1 

Because Jarvis does not anticipate claim 1, it also cannot anticipate any of the claims 
dependent therefrom. In addition, however, Jarvis does not disclose the added limitations 
of these claims. With regard to claims 5-7, the added limitations of these claims are 
limitations that involve the policy enforcer; since there is no policy enforcer in Jarvis, it 
cannot disclose these limitations. With regard to dependent claim 2, among the added 
limitations is the following: 

the policy database is of the class wherein policies are defined in terms of 
sets of the first entities and sets of the second entities (lines 2-3) 

There is simply no indication whatever in Jarvis that Jarvis' clients 200 are divided into 
sets of clients and his traffic types are divided into sets of traffic types or that his policies 
are defined in terms of sets of clients and sets of traffic types. Instead, FIG. 3 and the 
description of policies at col. 5, lines 25-40 indicate that the control information used by 
the server to make recommendations includes formulas, and as indicated at lines 37-41, 

The formulas make use of factors and considerations that include, but are 
not limited to, source address, destination address, source LAN area, 
destination LAN area, link-up cost, link open cost, link packet cost, link 
throughput, traffic type, timetables and expected packet count. 

Since Jarvis does not disclose definition of policies in terms of sets of the first entities 
and sets of the second entities, claim 2 is patentable over Jarvis in its own right. Claim 3 
is dependent from claim 2 and is additionally patentable for that reason over Jarvis. 
Claim 4 adds the limitation that the database is further extensible to include an additional 
type of action. In Jarvis, the user can add policies for new clients and new network links 
(see col. 6, lines 18-24), but the possible actions are fixed: the server makes a 
recommendation to the client or the server makes a callback to a function in the client 
(FIG. 2, 214, 218, col. 7, lines 32-53). Jarvis therefore does not disclose the added 
limitation of claim 4 and the claim is patentable in its own right over the reference. 

Concerning claim 13, the added limitations of this claim are 

the additional type of action is defined by a user of the policy 
enforcement system; and 

the policy enforcement system includes a user interface for 
extending the policy database by adding the user-defined additional type 
of action thereto. 

As pointed out in the discussion of claim 4, Jarvis does not permit definition of additional 
types of actions; the added limitations of claim 13 are thus not disclosed in Jarvis and the 
claim is patentable in its own right over the reference. 

The reference, Spencer, et al., "The Flask security architecture: System support for 
diverse security policies" 

FIG. 1 of Spencer, et al., The Flask security architecture: System support for diverse 
security policies (henceforth "Spencer") shows a security architecture which includes 
both a policy enforcer and a policy server, and the reference's disclosure would thus 
appear to be more relevant than that of Jarvis. It is unclear what the publication date of 
Spencer is. Examiner lists the date of the reference as 1998 in his form PTO-892, but the 
paper itself is labeled Draft, March 1999 and the bibliographical listing on the form 
PTO-890 indicates that the paper was intended for "usenixsec 1999", which applicants' 
attorney would take to mean a USENIX conference devoted to security which took place 
in 1999. 

Applicants' application, though having a PCT filing date of June 28, 1999, claims 
priority from provisional application 60/091,130, filed June 29, 1998 and is a CIP of US 
09/304,507, filed 3/4/98, which in turn claims priority from the provisional applications 
60/039,542 and 60/040,262, both filed 3/10/97. As pointed out at page 84, lines 10-15 of 
Applicants' Specification, policy evaluation, and policy enforcement were logically 
separate in the system disclosed in US 09/304,507. The tentative conclusion that 
Applicants' attorney draws from all of this is that Spencer is not available as a reference 
against Applicants' application, either because it was published after the filing date of the 
provisional application 60/091,130 or because it was published after the filing date of 
USSN 09/304,507, or because it was published after the filing dates of provisional 
applications 60/039,652 or 60/040,262. 

Conclusion 

Applicants have amended claims 8 and 12 to overcome the rejection under 35 U.S.C. 
101, have amended claim 1 to make it clear that the additional policy enforcer is a 
limitation of the claim, have amended claims 5-7 so that they are proper multiply 
dependent claims, and have added a new claim 13. Applicants have demonstrated that all 
of the amendments are fully supported by the Specification as filed. Applicants have 
further traversed the rejections under 37 C.F.R. 112 and the rejections under 35 U.S.C. 
102 and have thereby been fully responsive to Examiner's Office action of 10/25/04. 
Applicants have also brought Spencer to Examiner's attention and have pointed out why 
it is apparently not available as a reference. 

Applicants have thereby satisfied the requirements of 37 C.F.R. 1.111(b) and 
respectfully request that Examiner continue with his examination, as provided by 37 
C.F.R. 1.111(a). A check of $200.00 for the four new independent claims that have been 
added by way of this amendment is attached. Please charge any additional fees required 
for this response or refund any overpayment to deposit account number 501315. 